Updated: Nov 25, 2021
The term 'brute force attack' in its most basic form describes an attack that uses trial and error to guess possible combinations. This can encompass several forms, such as attempting to find hidden web pages or encryption keys. The term most commonly refers to an automated password guessing attack against a service, where an attacker submits a large list of common username and password combinations to the service in quick succession. This usually involves some prior enumeration of the target service and its use case.
Brute Force Attack example
This attack is often a result of broken authentication in the application. Broken authentication is a term used to describe a weakness in the design or implementation of access controls. For example, an application response can confirm that a submitted username is valid (username enumeration), or the controls permit the setting and use of 'weak' passwords.
A term often associated with broken authentication is broken access control. This describes weaknesses in the enforcement of permissions within the constraints of the user. For example, the ability to access another user's data by changing a user identity parameter (parameter tampering) is a result of a weakness in the access controls.
How to prevent a Brute Force Attack
Steps that can be taken to resolve these authentication weaknesses are to ensure that strong, complex passwords are enforced and to limit the number of access attempts that can be sent within a specified time limit (known as rate-limiting). A further addition to this is to implement 'IP blocking', where traffic from an address that has exceeded the rate limit control is prevented from further attempts for a set period.
Another control could be the implementation of a 'Captcha' (Completely Automated Public Turing Test to Tell Computers and Humans Apart) that will help to prevent a high-speed attack on a service.
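The following is an added example, not code from the original post, that puts the controls described above into one login handler: a password-strength check, a sliding-window rate limit per source address with a temporary block once the limit is exceeded, and a generic failure response that does not confirm whether the username exists. The user store, thresholds (5 attempts per 60 seconds, 15-minute block) and the `LoginGuard` class name are assumptions chosen for the example; the `clock` parameter exists so the behaviour can be exercised without waiting in real time.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is a constructed value for the example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password: str):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


# Constructed in-memory user store (hypothetical): username -> (salt, hash)
USERS = {"alice": _make_user("Correct-Horse-Battery-9!")}

# Salt used to burn equal work for unknown usernames, so response time
# does not reveal whether an account exists
_DUMMY_SALT = b"\x00" * 16


def password_is_strong(pw: str) -> bool:
    """Policy (constructed): at least 12 characters and 3 of 4 character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= 12 and sum(classes) >= 3


class LoginGuard:
    """Sliding-window rate limiter with a temporary per-IP block."""

    def __init__(self, max_attempts=5, window_seconds=60,
                 block_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.block_seconds = block_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # ip -> timestamps of failed attempts
        self.blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip: str) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Block has expired: lift it and start counting afresh
            del self.blocked_until[ip]
            self.failures[ip].clear()
            return False
        return True

    def record_failure(self, ip: str) -> None:
        now = self.clock()
        q = self.failures[ip]
        q.append(now)
        # Drop failures that fell out of the sliding window
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            self.blocked_until[ip] = now + self.block_seconds

    def login(self, ip: str, username: str, password: str) -> str:
        if self.is_blocked(ip):
            return "rate_limited"  # same answer whether or not the user exists
        record = USERS.get(username)
        if record is None:
            _hash_password(password, _DUMMY_SALT)  # equalise work for unknown users
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(_hash_password(password, salt), stored)
        if not ok:
            self.record_failure(ip)
            return "invalid_credentials"  # generic: does not confirm the username
        self.failures[ip].clear()
        return "ok"


if __name__ == "__main__":
    guard = LoginGuard(max_attempts=3, window_seconds=60, block_seconds=900)
    for _ in range(3):
        print(guard.login("203.0.113.10", "alice", "guess"))   # invalid_credentials
    print(guard.login("203.0.113.10", "alice", "Correct-Horse-Battery-9!"))  # rate_limited
```

The generic `invalid_credentials` response and the equal-work path for unknown usernames address the enumeration weakness described under broken authentication; the per-IP window and block implement rate-limiting and IP blocking. Counting failures per username as well as per source address is a common refinement, since an attacker can spread attempts across many addresses.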